Application of Quantum Cryptography
Nov. 2, 2010
Speaker: Chia-Hung Chien 簡嘉宏
Advisor: Sy-Yen Kuo

Outline
• Quantum Cryptography in Network
  – BBN, SECOQC, Tokyo
• Application
  – Indirect QKD, Cloud Computing
  – Commercial product
  – Real application

BB84
• Alice sends Bob a stream of photons that have been randomly polarized to one of four states (0°, 45°, 90°, 135°).
• Bob measures the photons in a random sequence of bases.
• Alice and Bob publicly announce the sequence of bases they used.
• Alice and Bob discard the results that were measured using different bases; the remaining results can be used to derive a secret key.

SARG vs. BB84
• Encoding basis
  – BB84: { , } { , }
  – SARG: { , } { , } { , } { , }
  – Quantum phases are the same
• Strong against PNS attack
  – non-orthogonal basis

Quantum Cryptography in Network
• Build up a network for distributing secrets out of single point-to-point QKD-Links.
[Figure: Alice, Bob and Charlie; a single QKD-link, then two additional QKD-links]
• Quadratic scaling: O(n²) links for n users

DARPA Quantum Network
• First quantum encrypted functional network

Network Architecture

SECOQC QKD Network
• Quantum-Back-Bone (QBB) Network
  – Deployed for test purposes in Vienna
• Quantum Access Networks (QAN)
  – Free space link allows connectivity

QKD-Link Devices
• Attenuated Laser Pulses (Id Quantique)
• Coherent-One-Way (University of Geneva)
• One-way, decoy states (Toshiba UK)
• Entangled photons (University of Vienna)
• Continuous Variables (Prof. Grangier)
• Access Free Space Link (LMU of Munich)
  – The "last mile" (80 m, >10 kbit/s)

Quantum Point-to-Point Protocol
• The interface to ensure seamless integration and interoperation between different QKD-Links and node modules
• Quantum Point-to-Point Protocol (Q3P) offers
  – Authentication and encryption services
  – Point-to-Point protocol between QBB nodes
  – Manage key storage

QKD-RL and QKD-TL
• The QKD Routing Layer (QKD-RL) Protocol
  – Manage the routing information
  – Sensitivity and relative scarceness of key material
• The QKD Transport Layer (QKD-TL) Protocol
  – Dealing with highly congested networks
  – Exchange confidential and authentic information across the network

Examples

Tokyo QKD Network
• NEC, Mitsubishi Electric, NTT, NICT, Toshiba Research Europe Ltd. (UK), ID Quantique (Switzerland), All Vienna (Austria)

Network Layout
• Make use of JGN2plus
• Star network
[Figure: nodes Hakusan, Hongo, Koganei, Otemachi]

Network Layer Structure

Network Layer
• Quantum Layer
  – QKD devices generate quantum keys via a point-to-point connection
• Key Management (KM) Layer
  – KM agents collect and store the key
  – KM server monitors the amount of key in each agent and supervises the overall key distribution
• Communication Layer
  – Using distributed keys for encryption and decryption of text, audio or video data

Secure Video Conference

Experiments in Chunghwa Telecom
[Figure: fiber path between Building F and Building C, linking the quantum lab and the SDH/DWDM lab over T.L fiber through ST, FC and LC connectors. Patch cords, 3 pairs each: A 1.5 m ST<->ST; B 5 m ST<->ST; C 35 m FC<->ST; D 50 m LC<->ST]

id Quantique Clavis

id Quantique Clavis2 Architecture

A Typical Example

Phase Coding

Interferometer with "base" phase shifters

Other Network Topology
[Figure: nodes connected by QKD channels A, B, C and D]
• Node1 and Node2 can share a secret key over QKD channel A
• Node2 and Node3 can share a secret key over QKD channel B
• Can Node1 and Node3 share a theoretically secure secret key?
• Node2 can be trusted or non-trusted

Quantum Indirect Sharing Key
[Figure: Trusted Third Party, Alice, Bob, Eve]
• Topology: a quantum mobile device network.
• Problem: An unsafe routing path for indirect communication.
• Difference: The deriving process is in the indirect communication.

The Deriving Procedure
0. Alice and Bob initially share a testing table for verifying the key
1. Dick generates and distributes entangled qubits
   a) N EPR pairs for deriving key
   b) N GHZ triplets for verifying key
2. Dick announces a random selection of the bases
3. Alice and Bob can generate a secret key by measurement with the same bases
4. Alice, Bob and Dick verify the key with GHZ triplets
[Fig. 1: Distribute B, EPR pairs and GHZ states. Labels: Dick (third party), Alice, Bob, Charlie; EPR pair (qubits 1, 2); GHZ state (qubits 3, 4, 5); block transmission; different locations on the routing path]

Notation
• The first N EPR pairs are denoted by $|E\rangle = \{|e_1\rangle_{12}, |e_2\rangle_{12}, \ldots, |e_n\rangle_{12}\}$
• The N GHZ states are denoted by $|G\rangle = \{|g_1\rangle_{345}, |g_2\rangle_{345}, \ldots, |g_n\rangle_{345}\}$
• The measurement bases are denoted by $B = [b_1, b_2, \ldots, b_n]$, where $b_i \in \{0, 1\}$ (0 means z-basis, 1 means x-basis).
[Fig. 1, repeated: Distribute B, EPR pairs and GHZ states.]
• Alice and Bob obtain $C = [c_1, c_2, \ldots, c_n]$ and $D = [d_1, d_2, \ldots, d_n]$ by using B to measure $|E\rangle$
• According to the no-deterministic theorem, the measurement process is random so the condition C=D is satisfied

The measurement of GHZ Triplet
Table 1: Correlation and anti-correlation of quantum secret sharing (columns: Alice's outcome; rows: Bob's outcome; entries: Dick's state)

| Bob \ Alice | +x | -x | +y | -y |
|---|---|---|---|---|
| +x | $|0\rangle + |1\rangle$ | $|0\rangle - |1\rangle$ | $|0\rangle - i|1\rangle$ | $|0\rangle + i|1\rangle$ |
| -x | $|0\rangle - |1\rangle$ | $|0\rangle + |1\rangle$ | $|0\rangle + i|1\rangle$ | $|0\rangle - i|1\rangle$ |
| +y | $|0\rangle - i|1\rangle$ | $|0\rangle + i|1\rangle$ | $|0\rangle - |1\rangle$ | $|0\rangle + |1\rangle$ |
| -y | $|0\rangle + i|1\rangle$ | $|0\rangle - i|1\rangle$ | $|0\rangle + |1\rangle$ | $|0\rangle - |1\rangle$ |

• Correlation: if Alice, Bob and Dick measure their qubit in the GHZ triplet with the x-basis, they will get a deterministic result $|{+x}\rangle_a\,|{+x}\rangle_b\,|{+x}\rangle_d$
• Anti-correlation: if Alice and Bob measure with the x-basis but Dick measures with the y-basis, they will not get a deterministic result

Verify the Key
Table 2: Testing table for GHZ state $\frac{1}{\sqrt{2}}\left(|000\rangle + |111\rangle\right)_{adb}$

| Case | Condition | Alice | Bob | Dick | Results | Odd | Verify |
|---|---|---|---|---|---|---|---|
| C=D | $c_i=0$ & $d_i=0$ | x | y | y | 001, 111, 010, 100 | yes | Correct |
| C=D | $c_i=1$ & $d_i=1$ | y | x | y | 001, 111, 010, 100 | yes | Correct |
| C≠D | $c_i=0$ & $d_i=1$ | x | x | y | 00x, 11x, 01x, 10x | x | Error |
| C≠D | $c_i=1$ & $d_i=0$ | y | y | y | 00x, 11x, 01x, 10x | x | Error |

Alice measures with the x-basis if $c_i=0$, but Bob measures with the y-basis if $d_i=0$.
• For $c_i=0$ and $d_i=0$, the measurement bases of Alice, Bob and David correspond to the x-basis, y-basis and y-basis. The four possible results are 001, 111, 010 and 100. After Alice and Bob announce their measurement outcomes, Dick accumulates the outcomes to verify the key.

Summary
• Quantum key generation is random, because the measurement outcome of EPR pairs is random.
• We do not need to transmit classical information and quantum information for generating a quantum key.
• The topology is indirect communication, which suits the mobility of quantum mobile devices.

Quantum Transmission Mechanism for Detection
• Quantum information may be attacked by eavesdroppers and malicious nodes on the routing path.
• This new mechanism can transmit a quantum message and detect a malicious node at the same time.
[Figure: Alice, Charlie ("Honest?") and Bob; detection mode and message mode]

The Mechanism
1. Initially, Alice and Bob share a quantum verification table.

| |123 | N1N2N3 | Sequence |
|---|---|---|
| $|000\rangle$ | b1b2b3 | 01010011 |
| $|001\rangle$ | b1b2b1 | 01100101 |
| $|010\rangle$ | b1b2b1 | 11001010 |
| $|011\rangle$ | b1b3b2 | 01101010 |
| $|100\rangle$ | b2b1b3 | 11110000 |
| $|101\rangle$ | b2b3b1 | 01100110 |
| $|110\rangle$ | b3b1b2 | 10100101 |
| $|111\rangle$ | b3b2b1 | 00001111 |

• |123 denotes the index for handshaking between Alice and Bob
• N1N2N3 denote the measurement bases corresponding to Alice, Charlie and Bob
• The sequence denotes the mode of the qubits transmitted to Bob
  – 0 represents detection mode
  – 1 represents message mode

The Mechanism
2. In detection mode, Alice will generate three entangled qubits denoted by |123, and send |23 to Charlie. Charlie passes |3 to Bob.
3. In message mode, Alice will encode the message in |5 and send |45 to Charlie. Charlie passes |5 to Bob.
• Symbols 1, 2 and 3 denote entangled qubits for detection mode
• Symbols 4 and 5 denote superposition qubits for message transmission
[Figure: detection mode (qubits 1, 2, 3) and message mode (qubits 4, 5) across Alice, Charlie and Bob, with the quantum verification table]

The Mechanism
4. According to the content of N1N2N3, Bob sends the measurement basis to Charlie
5. Charlie sends his measurement outcomes to Alice and Bob
6. Alice and Bob perform the verification on the bits of detection mode to check whether Charlie is honest or not
7. If Charlie is honest, Bob can accept the message encoded in the bits of message mode. Otherwise, the transmission is stopped.

Detection and message modes
$\frac{1}{\sqrt{2}}\left(|000\rangle + |111\rangle\right)_{123}$
[Figure: Alice, Charlie and Bob with qubits 1 to 5; Alice and Bob each hold the quantum verification table; example bit strings 1010, 10100110, 10101100, 01010110]
1. Send qubits
2. Announce bases
3. Announce outcomes
4. Verify result

| |123 | N1N2N3 | Sequence |
|---|---|---|
| $|000\rangle$ | b1b2b3 | 01010011 |
| $|001\rangle$ | b1b2b1 | 00001111 |
| $|010\rangle$ | b1b2b1 | 11001010 |
| $|011\rangle$ | b1b3b2 | 01101010 |
| $|100\rangle$ | b2b1b3 | 11110000 |
| $|101\rangle$ | b2b3b1 | 01100110 |
| $|110\rangle$ | b3b1b2 | 10100101 |
| $|111\rangle$ | b3b2b1 | 00001111 |

Summary
• The intermediate node has no capability to differentiate which qubit belongs to quantum superposition or quantum entanglement.
• The intrusive behavior of a malicious node can be detected.
• So the security of transmission integrity can be achieved.

Quantum Private Queries
• Problem: Symmetrically Private Information Retrieval
• Protect Alice's privacy and Bob's information
  – prevent him from reading her queries without risking capture
  – prevent her from obtaining more than a few answers for each database query

Quantum Encrypted Computation
• Alice needs data f(y), and Bob is the server providing the service.
f ( x) f ( x y) z f ( x) f ( x) f ( y) z f ( y) z
• Hermitian matrix is OK
• Unitary matrix not sure

Obstacles of Quantum Cryptography
• The point-to-point paradigm
  – Quadratic scaling with the number of users
  – Dedicated fiber optic line with NO repeaters
  – Short distance quantum channel
  – Free air transmission requires a clear line of sight
• The integrability in existing networks
  – Price and reliability of QKD, missing standards
• QKD appears to be restricted to a relatively narrow niche market
  – SmartQuantum in France is bankrupt

QKD in application
• Even in applications in which it can be used, it may not be the preferred option for establishing secure communication due to its cost, size, inconvenience and limitation
• More serious problem
  – How to deal with side channel attacks in its theoretical proofs of security
Adi Shamir's talk in UQCC 2010

QKD for Cloud Computing?
Data has to be securely sent for remote processing
• On an unknown computer
• At an unknown location
• Which is typically at a far away location
• That changes frequently
Adi Shamir's talk in UQCC 2010

Today's Encrypted Networks
[Figure: two private enclaves, each behind a VPN endpoint running the IPsec protocol suite with a crypto unit. Red side (red IP, red link, red physical): traffic in the clear. Black side (black IP, black link, black physical): encrypted and authenticated traffic (via IPsec). End-to-end encrypted traffic between the enclaves; end-to-end key distribution by courier or mathematics]

Major Cryptosystems
• RSA-512
  – Invented in 1977, broken by NFS developed 1990
• DES
  – Standardized in 1977, broken by Diff'l Cr in 1990
• SHA-1
  – Developed in 1992, broken by Wang in 2005
• AES-256
  – Developed in 1996, broken at Asiacrypt 2009
• KASUMI
  – Proposed at FSE 1997, broken at Crypto 2010

Future Secure Communication
• Dedicated high-end symmetric encryptors with frequent key change
• Fresh key being constantly generated by QKD devices
Information is physical -- Rolf Landauer

Commercial QKD
[Figure: MagiQ]

id Quantique
• id Quantique (IDQ) created in Geneva in 2001
• Product
  – Centauris: high-speed layer 2 encryption
  – Cerberis: high-speed encryption based on the proven Advanced Encryption Standard (AES)
  – Clavis2: QKD devices
[Figure: Centauris, Cerberis, Clavis2]

MagiQ
• Founded in 1999, U.S. owned and private
• Spectrum: 10 Tech Companies for the Next 10 Years
• Customers

Swiss election in Geneva
• First real-world use of quantum cryptography (Oct 2007)
• Using the commercial quantum cryptography system (Cerberis) by id Quantique
• Secure the relay of sensitive election data

2010 FIFA World Cup
• Durban, South Africa
  – The first use of ultra secure quantum encryption at a world public event

Quantum Key in Mobile

Satellite Communication

Conclusion
• The cost of QKD is high, but it is worth it
• Short-term and long-term challenges are quite different
  – Short-term: integrate QKD in classical networks
  – Long-term: quantum repeaters, apply in outer space
• Quantum cryptography can be combined with modern cryptography to realize sound and practical security

Thank you for your attention

• A target market of quantum based communication solutions for organizations with distributed subsidiaries/facilities such as governmental institutions, companies and banks is envisaged

• Network nodes are considered to be situated in secure locations and are connected by QKD-Links.

Reference
• SARG04: V. Scarani et al., PRL 92, 057901 (2004)
• M. Peev et al., "The SECOQC quantum key distribution network in Vienna", New J. Phys. 11, 075001 (2009)

DARPA Quantum Network
• First quantum encrypted functional network
[Figure: BBN lab, Harvard U, Boston U]

Outline
• Quantum Cryptography Protocol
  – BB84, SARG
• Quantum Cryptography in Network
  – Tokyo, SECOQC, BBN
• Commercial Product
  – IdQuantique, MagiQ, Smart Quantum
• Application
  – Indirect, Cloud Computing, Real Application
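The four steps on the BB84 slide, with an optional intercept-resend eavesdropper, as an added Python simulation that is not part of the original slides. The noiseless channel, the function names, the 25% sample fraction and the 11% abort threshold are assumptions of this example.

```python
import random

BASES = "+x"  # '+' = rectilinear (0°/90°), 'x' = diagonal (45°/135°)

def measure(bit, prep_basis, meas_basis, rng):
    """Matching basis returns the encoded bit; a mismatched basis is a coin flip."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84(n, eavesdrop=False, seed=0):
    """Send n photons (ideal channel, an assumption); return both sifted keys."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n):
        bit, a_basis = rng.randrange(2), rng.choice(BASES)
        sent_bit, sent_basis = bit, a_basis
        if eavesdrop:
            # Intercept-resend: Eve measures in a random basis, then re-sends
            # a photon prepared in her basis carrying her outcome.
            e_basis = rng.choice(BASES)
            sent_bit = measure(bit, a_basis, e_basis, rng)
            sent_basis = e_basis
        b_basis = rng.choice(BASES)
        b_bit = measure(sent_bit, sent_basis, b_basis, rng)
        # Sifting: bases are announced publicly; mismatched rounds are dropped.
        if a_basis == b_basis:
            alice_key.append(bit)
            bob_key.append(b_bit)
    return alice_key, bob_key

def estimate_and_keep(a, b, sample_frac=0.25, max_qber=0.11, seed=1):
    """Publicly compare a random sample of sifted bits.

    Returns (error_rate, remaining_key); remaining_key is None when the
    error rate exceeds max_qber (illustrative threshold) and the run aborts.
    """
    rng = random.Random(seed)
    k = max(1, int(len(a) * sample_frac))
    revealed = set(rng.sample(range(len(a)), k))
    rate = sum(a[i] != b[i] for i in revealed) / k
    if rate > max_qber:
        return rate, None
    # Revealed bits are no longer secret, so they are discarded from the key.
    return rate, [a[i] for i in range(len(a)) if i not in revealed]

if __name__ == "__main__":
    for eve in (False, True):
        a, b = bb84(20000, eavesdrop=eve)
        rate, key = estimate_and_keep(a, b)
        print(f"eavesdrop={eve} sifted={len(a)} qber={rate:.3f} "
              f"key={'aborted' if key is None else len(key)}")
```

With no eavesdropper the sampled error rate is zero; intercept-resend pushes it to about 25%, because Eve picks the wrong basis half the time and each wrong pick flips Bob's bit with probability one half.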